
FIDO2 Security Key Auth

This setup uses a FIDO2 security key through pam-u2f. The key becomes the preferred local authentication path for sudo, polkit prompts, and Hyprlock, while the account password stays available as fallback.

The daily path is touch-only. Do not add pinverification=1 unless you want the security-key PIN on every sudo, pkexec, and Hyprlock authentication.

It does not change LUKS disk decryption. Boot still uses the LUKS passphrase unless a separate LUKS token setup is configured.

Use Omarchy’s built-in FIDO2 setup first:

  1. Open the Omarchy menu.
  2. Go to Setup.
  3. Go to Security.
  4. Choose Fido2.
  5. Touch the security key when prompted.
  6. Let the script test sudo before closing the terminal.

The setup installs libfido2 and pam-u2f, registers the key with pamu2fcfg, stores the mapping at /etc/fido2/fido2, and adds pam_u2f.so to sudo and polkit-1.

The default Omarchy setup is touch-based. Keep that behaviour for daily use, then add Hyprlock manually.

Use this touch-only line in /etc/pam.d/sudo and /etc/pam.d/polkit-1:

auth sufficient pam_u2f.so cue [cue_prompt=Touch your security key] authfile=/etc/fido2/fido2

Keep the existing password lines below it. With sufficient, a successful security-key auth skips the password prompt; failure falls through to the password fallback.

Hyprlock uses its own PAM service. Omarchy’s FIDO2 setup does not add this line automatically, so prepend it to /etc/pam.d/hyprlock:

auth sufficient pam_u2f.so cue [cue_prompt=Touch your security key] authfile=/etc/fido2/fido2

Leave the default auth include login line below it so the normal password unlock still works.

Hyprlock config is stowed from the dotfiles repo. Edit the active host source, not Omarchy’s upstream config directory:

~/.config/dotfiles/hypr/.config/hypr/hosts/<host>/hyprlock.conf

Use generic security-key wording so the config works with non-Yubico keys too:

input-field {
    placeholder_text = <span> Touch Security Key or Type Password </span>
    check_text = <i>Touch your security key</i>
}

If the fingerprint setup script was run on a machine without a fingerprint reader, disable Hyprlock fingerprint auth in the same file:

auth {
    fingerprint:enabled = false
}

Apply the stowed config:

dot stow
hyprctl configerrors

If Omarchy’s fingerprint setup was run by mistake, remove its PAM lines and packages:

pkexec sed -i '/pam_fprintd\.so/d' /etc/pam.d/sudo /etc/pam.d/polkit-1
pkexec pacman -Rns fprintd libfprint-git

Keep fingerprint:enabled = false in the stowed Hyprlock config.

pinverification=1 is stricter, but pam-u2f prompts for the security-key PIN on every PAM authentication. It does not cache the PIN for the whole login session.

Use PIN mode only if that tradeoff is intentional:

auth sufficient pam_u2f.so cue [cue_prompt=Touch your security key] pinverification=1 authfile=/etc/fido2/fido2

Test each layer before relying on it:

  1. Run sudo -k, then sudo true.
  2. Touch the security key when prompted.
  3. Trigger a polkit prompt if convenient.
  4. Lock the screen with Hyprlock while another session or terminal remains available.
  5. Test password fallback by trying without the security key.
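A quick way to confirm the PAM layout described above before locking the screen, as an added helper that is not part of Omarchy or the dotfiles repo: it checks that the first auth line of a service file is the touch-only pam_u2f.so line pointing at /etc/fido2/fido2, that a password fallback line still follows it, and that neither pinverification=1 nor a leftover pam_fprintd.so line is present. The three service names and the /etc/pam.d paths are the ones this page configures.

```shell
#!/bin/sh
# Added verification helper for this page's PAM layout (not Omarchy's own code).
# Usage: check_pam_service /etc/pam.d/sudo   (exit 0 = layout matches)

check_pam_service() {
    f="$1"
    [ -r "$f" ] || { echo "$f: cannot read file"; return 1; }

    # First real auth line, with whitespace squeezed so tabs/extra spaces match.
    first=$(grep -E '^[[:space:]]*auth[[:space:]]' "$f" | head -n 1 \
            | tr -s '[:space:]' ' ')
    case "$first" in
        *"auth sufficient pam_u2f.so "*) ;;
        *) echo "$f: first auth line is not 'auth sufficient pam_u2f.so'"; return 1 ;;
    esac
    case "$first" in
        *"authfile=/etc/fido2/fido2"*) ;;
        *) echo "$f: pam_u2f.so line lacks authfile=/etc/fido2/fido2"; return 1 ;;
    esac
    case "$first" in
        *"pinverification=1"*)
            echo "$f: pinverification=1 set; PIN will be asked on every auth"; return 1 ;;
    esac

    # The password path must remain below the key line (e.g. 'auth include login').
    n=$(grep -cE '^[[:space:]]*auth[[:space:]]' "$f" || true)
    [ "$n" -ge 2 ] || { echo "$f: no fallback auth line after pam_u2f.so"; return 1; }

    # Leftover fingerprint module from a mistaken fingerprint setup.
    if grep -q 'pam_fprintd\.so' "$f"; then
        echo "$f: pam_fprintd.so still present"; return 1
    fi
    echo "$f: ok"
}

# Check the three services this page touches, reporting every problem found.
check_all() {
    rc=0
    for svc in sudo polkit-1 hyprlock; do
        check_pam_service "/etc/pam.d/$svc" || rc=1
    done
    return $rc
}
```

Run `check_all` from a terminal that is not itself the session you are about to lock, so a failing hyprlock file is caught while a password-capable shell is still open.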

To roll back, restore the backed-up PAM files, or, if the lock screen is the only broken part, remove only the added pam_u2f.so line from /etc/pam.d/hyprlock.

Do not delete /etc/fido2/fido2 unless you are fully removing FIDO2 auth.